Deleting Of Net Users

Splunk Security Content

Summary
This analytic, now deprecated, was designed to detect the deletion of user accounts via the command-line tools net.exe or net1.exe on Windows systems. It utilized telemetry data from various Endpoint Detection and Response (EDR) sources, such as Sysmon and Windows Event Logs, focusing on process execution and command-line usage as key indicators. The detection indicated potential malicious activities, including user account impairment or attempts to erase traces of lateral movement by an adversary. The presence of this activity could signal unauthorized disruptions to legitimate user operations or attempts to obscure adversarial methods, complicating security investigations. For implementation, organizations needed to ingest relevant logs with necessary metadata and process these logs using the Splunk Common Information Model (CIM) for effective identification.
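As an added illustration (not part of the Splunk content or the original analytic's SPL), the following Python reproduces the detection idea over constructed, CIM-style process events: flag net.exe or net1.exe executions whose command line is `user <name> /delete`, and ignore plain queries, group operations and other images. The field names and sample events are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry). The keys
# approximate CIM Endpoint.Processes fields after normalisation.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "WS01", "user": "CORP\\admin", "process_name": "net.exe",
     "process": "net  user  svc_backup /delete"},
    {"dest": "WS02", "user": "CORP\\jdoe", "process_name": "net1.exe",
     "process": 'C:\\Windows\\System32\\net1.exe user "temp account" /del /domain'},
    {"dest": "WS03", "user": "CORP\\jdoe", "process_name": "net.exe",
     "process": "net user jdoe"},                                # query only
    {"dest": "WS04", "user": "CORP\\ops", "process_name": "net.exe",
     "process": "net localgroup administrators svc /delete"},    # group, not user
    {"dest": "WS05", "user": "CORP\\ops", "process_name": "powershell.exe",
     "process": "powershell -c 'net user bob /delete'"},        # wrong image
]

NET_BINARIES = {"net.exe", "net1.exe"}
# net.exe accepts abbreviated switches, so cover /del as well as /delete.
DELETE_SWITCH = re.compile(r"^/del(ete)?$", re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def user_deletion_target(event: Dict[str, str]) -> Optional[str]:
    """Return the account name if the event is `net[1] user <name> /delete`, else None."""
    if event.get("process_name", "").lower() not in NET_BINARIES:
        return None
    tokens = tokenize(event.get("process", ""))
    # tokens[0] is the image (net, net.exe or a full path); the sub-command must be 'user'
    if len(tokens) < 3 or tokens[1].lower() != "user":
        return None
    if not any(DELETE_SWITCH.match(t) for t in tokens[2:]):
        return None
    # The first non-switch token after 'user' is the account being deleted
    targets = [t for t in tokens[2:] if not t.startswith("/")]
    return targets[0] if targets else None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emit one finding per matching event: who deleted which account on which host."""
    findings = []
    for ev in events:
        account = user_deletion_target(ev)
        if account is not None:
            findings.append({"dest": ev["dest"], "user": ev["user"],
                             "account": account, "process": ev["process"]})
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields two findings (WS01 and WS02); the PowerShell event is skipped because the child net.exe process would generate its own event, which is the one the analytic keys on.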
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1531
Created: 2025-01-24